The Web Security Mailing List

UPDATED: 1/30/06 Response from Author
"Just to inform you that the malicious code mentioned to you was
actually partly research for the paper. If you take a look at the
latest version (with lynx if you like), I now refer to the clipboard
issue in issue 3 (this was introduced in 1.2.0 of my paper. The code
that was previously included in the page simply logged a 404 in my
error logs for each success, I'm intending to run these logs through a
log processor so that I can get a better understanding of vulnerable IE
versions still in the wild and whether there is a significant variation
in success dependent on the carrier web site.

To clarify, the code itself has been removed. Once the balloon
went up, as it were there was no further benefit in keeping it there,
since any future results would be quickly be skewed by publicity.

From what I understand, the clipboard issue only affects IE. The point
of the paper is that legitimate features can be used in an unorthodox
manner and that these features carry far more risk than is currently
perceived by many people including those in the industry. XSS attacks
aren't just about stealing cookies. IMO a feature such as this, which
was flagged up in 2002 should by now have been dealt with and yet it
has been allowed to remain.

I make the point in my paper that really it would be
beneficial for far more granular security to be put in place within
browsers which should include the use of PKI signing of Javascript
code. This would allow browsers to correctly identify legitimate
Javascript introduced by the developer as opposed to rogue code
introduced via a XSS attacks. The overall risks highlighted in the
paper are faced by every single one of us on a daily basis and
therefore need to be better understood." - Tim

1/29/06 IMPORTANT UPDATE:
A viewer has brought to my attention that the site linked in this story contains malicious javascript using a well
known vulnerability to copy clipboard data and send it to an attackers site. For this reason I have removed the clickable
link. If you want to read more about this article be warned of the URl that you are going to visit. - CGISecurity Staff

"Some months back, a colleague and I were kicking around some ideas for
a cross platform XSS born virus[1]. He ended up writing a paper on it
and I didn't. Whilst it is common to see the issue of Javascript
injection on the various security oriented mailing lists, there are
issues I've not seen much mention of, this paper seeks to rectify
that." - Tim Brown